Forum Discussion
Device Migration from On-prem AD to Azure AD
If we find a better way to do it with coming days, I will update this thread for sure.
Did you try to:
Create a local admin account and export the hash to Intune.
Disconnect the user from the local domain.
Connect to Azure AD.
Disconnect from the local admin account and connect with the Azure AD username; that starts enrollment, and you can see in Intune that you have an Autopilot-managed machine.
I tried that without resetting the computer.
- 0--O1, May 07, 2021, Copper Contributor
Hi there,
Okay, a little bit late, but this results in users getting new profiles. And this action takes a very long time (about 3 hours while changing from local AD to Azure AD). There is probably a very long error timeout.
That is not a top solution.
Researching best practice. Perhaps with SCCM on-prem support.
- jfaverman, Aug 11, 2021, Copper Contributor
0--O1 There is a Microsoft article on this. When you unjoin a computer from an AD domain and move it to a workgroup, Windows will use the domain name as the workgroup name. Then when you try to Azure AD join the computer, the computer will start looking for the AD domain. It will stop looking after 3 hours (it times out). To work around this, when you unjoin the computer from AD, change the workgroup name to anything that is not the name of the AD domain (e.g., change it to Workgroup). Then when you Azure AD join the computer, it happens in real time.
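The unjoin step from the two posts above, scripted as an added example (not code from any poster in this thread): it leaves the domain with an explicitly chosen workgroup name so the new name can never equal the old domain name, and it shows the dsregcmd check for confirming the device ended up Azure AD joined rather than still domain joined. It assumes it runs elevated on the device itself, that the operator supplies domain credentials with permission to unjoin, and that the local admin account used to sign back in already exists; the NetBIOS-name comparison uses the first DNS label of the domain, which is a heuristic, not something the thread states.

```powershell
# Added example: unjoin from AD into a workgroup whose name differs from the
# old domain, then verify join state with dsregcmd. Not from the original thread.
# Assumption: run in an elevated PowerShell session on the workstation.

function Get-SafeWorkgroupName {
    param(
        [Parameter(Mandatory)] [string] $OldDomain,   # e.g. corp.example.com
        [string] $Preferred = 'WORKGROUP'
    )
    # Heuristic (assumption): the NetBIOS name is usually the first DNS label.
    $netbios = ($OldDomain -split '\.')[0]
    if ($Preferred -ieq $OldDomain -or $Preferred -ieq $netbios) {
        # Never reuse the domain name as the workgroup name; that is the
        # configuration the thread blames for the 3-hour wait.
        return 'WORKGROUP-MIGRATED'
    }
    return $Preferred
}

function Invoke-LeaveDomain {
    param([string] $PreferredWorkgroup = 'WORKGROUP')

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Host "Not domain joined; current workgroup is '$($cs.Workgroup)'."
        return
    }

    $target = Get-SafeWorkgroupName -OldDomain $cs.Domain -Preferred $PreferredWorkgroup
    Write-Host "Leaving domain '$($cs.Domain)' for workgroup '$target'."

    # Domain credential with rights to remove the computer object.
    $cred = Get-Credential -Message "Domain account allowed to unjoin $($cs.Domain)"

    # -WorkgroupName sets the workgroup explicitly instead of accepting a default.
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $target -Force -PassThru

    $after = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($after.PartOfDomain) { throw 'Unjoin did not take effect.' }
    if ($after.Workgroup -ieq ($cs.Domain -split '\.')[0]) {
        throw "Workgroup '$($after.Workgroup)' still matches the old domain name."
    }
    Write-Host "Now in workgroup '$($after.Workgroup)'. Reboot, sign in as the local admin, then join Azure AD."
}

function Test-AzureAdJoinState {
    # Parse dsregcmd /status into a hashtable of the 'Key : Value' lines.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        TenantName    = $state['TenantName']
    }
}

# Usage:
#   Invoke-LeaveDomain -PreferredWorkgroup 'WORKGROUP'
#   ... reboot, sign in locally, complete the Azure AD join from Settings ...
#   Test-AzureAdJoinState   # expect AzureAdJoined=True, DomainJoined=False
```

After the Azure AD join, `Test-AzureAdJoinState` should report `AzureAdJoined` true and `DomainJoined` false; a device that still shows `DomainJoined` true, or that shows `AzureAdJoined` true alongside it, is hybrid joined rather than Azure AD joined, which is the state the next post describes moving away from.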
- Chris-Yue, May 11, 2021, Iron Contributor
Our devices are currently Hybrid Azure AD Joined and I am considering moving new devices over to Azure AD joined to simplify enrolment to Windows Hello for Business and Autopilot.
The only downsides I could see are as follows:
No login scripts will run at sign-in when connected to the LAN
No Group Policy control
No granular control regarding local admin rights to the local device (it is all or nothing)
Just wondering if anyone has found any other disadvantages/benefits and what motivated you to consider making the change over to Azure AD joined?
- David Stowers, May 14, 2021, Copper Contributor
Chris-Yue With a workforce scattered everywhere, using on-prem creds is a challenge. I am a fan of using MECM to enable co-management and then, at the next cycle, redeploying the machines as Azure AD only, using an Autopilot JSON file during OOBE to lock in the domain and make sure it is set up for MDM. I have found replacements within Intune for most GPO functions, and not getting constantly hung up on whether they are doing sync or async processing simplifies things, especially with users not being on-prem much at the moment.